How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases

Content provided by Microsoft

Microsoft Windows Server 2003, Standard Edition (32-bit x86)

Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

Microsoft Windows Server 2003, Enterprise x64 Edition

Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)

Microsoft Windows XP Professional

Microsoft Windows XP Tablet PC Edition

Microsoft Windows Small Business Server 2003 Premium Edition

Microsoft Windows Small Business Server 2003 Standard Edition

Select Product Version

Summary

Instead of storing your user account password in clear-text, Windows generates and stores user account passwords by using two different password representations, generally known as "hashes." When you set or change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory.

The LM hash is relatively weak compared to the NT hash, and it is therefore prone to fast brute force attack. Therefore, you may want to prevent Windows from storing an LM hash of your password. This article describes how to do this so that Windows only stores the stronger NT hash of your password.

More Information

Windows 2000-based servers and Windows Server 2003-based servers can authenticate users who connect from computers that are running all earlier versions of Windows. However, versions of Windows earlier than Windows 2000 do not use Kerberos for authentication. For backward compatibility, Windows 2000 and Windows Server 2003 support LAN Manager (LM) authentication, Windows NT (NTLM) authentication, and NTLM version 2 (NTLMv2) authentication. The NTLM, NTLMv2, and Kerberos all use the NT hash, also known as the Unicode hash. The LM authentication protocol uses the LM hash.

It is best to prevent storage of the LM hash if you do not need it for backward compatibility. If your network contains Windows 95, Windows 98, or Macintosh clients, you may experience the following problems if you prevent the storage of LM hashes for your domain:

Users without an LM hash will not be able to connect to a Windows 95-based computer or a Windows 98-based computer that is acting as a server unless the Directory Services Client for Windows 95 and Windows 98 is installed on the server.

Users on Windows 95-based computers or Windows 98-based computers will not be able to authenticate to servers by using their domain account unless they have the Directory Services Client installed on their computers.

Users on Windows 95-based computers or Windows 98-based computers will not be able to authenticate by using a local account on a server if the server has disabled LM hashes unless they have the Directory Services Client installed on their computers.

Users may not be able to change their domain passwords from a Windows 95-based computer or a Windows 98-based computer, or they may experience account lockout issues when they try to change their passwords from these earlier clients.

Users of Macintosh Outlook 2001 clients may not be able to access their mailboxes on Microsoft Exchange servers. Users may see the following error in Outlook:

The logon credentials supplied were incorrect. Make sure your username and domain are correct, then type your password again.

To prevent Windows from storing an LM hash of your password, use any of the following methods.

Method 1: Implement the NoLMHash Policy by Using Group Policy

To disable the storage of LM hashes of a user's passwords in the local computer's SAM database by using Local Group Policy (Windows XP or Windows Server 2003) or in a Windows Server 2003 Active Directory environment by using Group Policy in Active Directory (Windows Server 2003), follow these steps:

In the list of available policies, double-click Network security: Do not store LAN Manager hash value on next password change.

Click Enabled, and then click OK.

Method 2: Implement the NoLMHash Policy by Editing the Registry

In Windows 2000 Service Pack 2 (SP2) and later, use one of the following procedures to prevent Windows from storing an LM hash value on your next password change.

Windows 2000 SP2 and Later

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

Important The NoLMHash registry key and its functionality were not tested or documented and should be considered unsafe to use in production environments before Windows 2000 SP2.

To add this key by using Registry Editor, follow these steps:

Start Registry Editor (Regedt32.exe).

Locate and then click the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

On the Edit menu, click Add Key, type NoLMHash, and then press ENTER.

Quit Registry Editor.

Restart the computer, and then change your password to make the setting active.

Notes

This registry key change must be made on all Windows 2000 domain controllers to disable the storage of LM hashes of users' passwords in a Windows 2000 Active Directory environment.

This registry key prevents new LM hashes from being created on Windows 2000-based computers, but it does not clear the history of previous LM hashes that are stored. Existing LM hashes that are stored will be removed as you change passwords.

Windows XP and Windows Server 2003

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

This registry change must be made on all Windows Server 2003 domain controllers to disable the storage of LM hashes of users' passwords in a Windows 2003 Active Directory environment. If you are a domain administrator, you can use Active Directory Users and Computers Microsoft Management Console (MMC) to deploy this policy to all domain controllers or all computers on the domain as described in Method 1 (Implement the NoLMHash Policy by Using Group Policy).

This DWORD value prevents new LM hashes from being created on Windows XP-based computers and Windows Server 2003-based computers. The history of all previous LM hashes is cleared when you complete these steps.

Important If you are creating a custom policy template that may be used on both Windows 2000 and Windows XP or Windows Server 2003, you can create both the key and the value. The value is in the same place as the key, and a value of 1 disables LM hash creation. The key is upgraded when a Windows 2000 system is upgraded to Windows Server 2003. However, it is okay if both settings are in the registry.

Method 3: Use a Password That Is at Least 15 Characters Long

The simplest way to prevent Windows from storing an LM hash of your password is to use a password that is at least 15 characters long. In this case, Windows stores an LM hash value that cannot be used to authenticate the user.